Phishing scams

Mitigate phishing scams with help from Mimecast.

Phishing scams and spear-phishing threats are on the rise, causing disruption and damage to enterprises everywhere. Designed to fool your employees into revealing credentials, passwords and other confidential information, phishing scams are involved in more than 90 percent of hacking attacks today [1].

The impact of phishing scams on profitability and productivity is huge. Breaches can cost millions, destroying corporate reputations and significantly degrading customer loyalty. Protecting your organization from phishing threats is critical — and that's where Mimecast can help.

Mimecast's secure email solutions offer comprehensive defense against phishing scams and other advanced threats, as well as data leaks and routine threats like spam, malware and viruses. Offering always-on, always up-to-date protection that eliminates the cost [1] and complexity of traditional offerings, Mimecast's email security solutions provide enterprise-grade protection so you and your organization can breathe easier.

[1] "How to Bridge the Email Security Language Gap Between IT and the C-Suite" – Mimecast blog post by Orlando Scott-Cowley, 10/2015

Stop phishing scams with Targeted Threat Protection.

Mimecast Targeted Threat Protection extends Mimecast's Secure Email Gateway to provide state-of-the-art defenses against malicious links in email and weaponized attachments – the two forms of attack most often used in phishing scams. By scanning all email in real time and blocking employees from opening suspicious links and attachments, Mimecast helps prevent users from inadvertently downloading malware or sharing confidential information. Mimecast also provides dynamic user awareness tools that reinforce security policies and help employees better assess the risk of email-borne threats.

With Mimecast Targeted Threat Protection, you can:

  • Get comprehensive protection against phishing scams without the need for additional IT overhead or infrastructure.
  • Provide instant protection for all devices on and off the corporate network without disruption to users.
  • Activate protection against phishing scams quickly thanks to Mimecast's cloud-based platform.
  • Gain deeper insight with real-time, end-to-end threat analysis and granular reporting.

Two types of protection against phishing scams.

Mimecast secure email solutions provide defense against phishing scams on two fronts.

Targeted Threat Protection – URL Protect rewrites URLs in all inbound email, scanning destination websites in real time for possible threats before opening a link in the user's browser. If a site is deemed suspicious, Mimecast displays a warning page and blocks access to the website. Mimecast scans URLs on every click to protect against the possibility of a legitimate site being compromised at a later date.

Targeted Threat Protection – Attachment Protect preemptively sandboxes email attachments, checking for malware before delivering them to employees. Attachment Protect also provides the option to convert attachments into a safe file format that neutralizes any malicious code.

Learn more about Mimecast's protection against phishing scams as well as other Mimecast solutions for Data Leak Prevention and Secure Email Messaging.

FAQs: Phishing Scams

What are phishing scams?

Phishing scams are a type of cybercrime designed to trick someone into revealing personal data such as passwords, credit card numbers, bank account details, Social Security numbers and other sensitive information by sending communications that impersonate a trusted or legitimate company.

 

How do phishing scams work?

The most common phishing scams use email messages that appear to be from a legitimate or trusted company. These messages encourage recipients to visit a fraudulent website where their personal information is collected and where malware may be downloaded to their computer. Phishing emails are designed to mimic the branding of a legitimate company and, usually with a sense of urgency, they require the recipient to provide information in order to gain a reward or avoid negative consequences. Common techniques in phishing scams include:

  • Reporting that there is suspicious activity on an account and that users must log in immediately.
  • Claiming that there is a problem with a payment.
  • Attaching a fake invoice that, when opened, launches a malware attack.
  • Announcing that an account is about to be deactivated.
  • Offering discounts, rewards and even free money.
  • Threatening legal action or negative consequences – these are typical in phishing emails that purport to be from government agencies.
  • Suggesting that the recipient has a technical issue which must be fixed.

 

How to report phishing scams?

When you receive an email that appears to be a phishing scam, you should first report it to your company and your IT department, then to your email provider and to the company that the phishing scam is impersonating. It’s also important to report phishing scams to the agencies that work to prevent and prosecute them, including the Federal Trade Commission (www.ftc.gov/complaint), the Cybersecurity and Infrastructure Security Agency (phishing-report@us-cert.gov), and the Anti-Phishing Working Group (www.antiphishing.org/report-phishing).

 

How to recognize phishing scams?

While phishing scams are increasingly sophisticated, there are a number of common indicators that users can watch for to avoid being duped.

  • Mismatched email addresses. Many phishing emails are sent under the guise of a trusted company, from addresses that are similar to but not exact matches of the company’s domain. By hovering a cursor over the “from” address, users can see whether the sender’s actual email domain is an exact match or just a close facsimile, e.g., paypal.com and paypa1.com.
  • Mismatched URLs. Often the text links within a phishing email don’t match the URL that the link is pointing to. If users hover a cursor over any link within the email, they can see the address that the link will take them to when clicked. Users should be suspicious of any links that don’t match.
  • Missing names. Most legitimate and trusted companies will use a recipient’s name within the body of the email. Emails that use “Dear customer” or similar greetings should be viewed suspiciously.
  • Requests for personal information. Legitimate companies don’t ask you to click a link to provide sensitive information like passwords, credit card numbers, credit scores or bank account information.
  • Urgent messages. Phishing scams use urgency to encourage users to act quickly and without inspecting the content of the email too closely.
  • Threats. Emails that threaten legal action or loss of privileges, money or access are more likely to be phishing scams.
  • Poor grammar and misspellings. The copy in many phishing scams is not well written and often uses strange language and misspelled words.
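
The first two indicators above (a look-alike sender domain and link text that does not match the link target) can also be checked automatically. The Python below is an added example, not part of the original page and not Mimecast's code; the `TRUSTED` set, the function names and the sample message are assumptions made for illustration.

```python
import re
import email.utils
from html.parser import HTMLParser

TRUSTED = {"paypal.com"}  # assumption: brands your users expect mail from

def base(host):  # naive registrable domain; real code needs the Public Suffix List
    return ".".join(host.split(".")[-2:])

def lookalike(domain):
    # Undo common swaps (1 for l, 0 for o, "rn" for m); a changed result in TRUSTED is an imitation.
    plain = domain.translate(str.maketrans("10", "lo")).replace("rn", "m")
    return plain if plain != domain and plain in TRUSTED else None

def host_of(text):  # hostname of a URL-like string, None for ordinary link text
    m = re.match(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]|$)", text.strip().lower())
    return m.group(1) if m else None

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), ""
    def handle_data(self, data):
        self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href:
            self.links.append((self._href, self._text.strip()))
            self._href = None

def analyze(raw):
    msg, findings = email.message_from_string(raw), []
    sender = email.utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if lookalike(base(sender)):
        findings.append(f"sender domain {sender} imitates {lookalike(base(sender))}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())  # assumes a single-part HTML body
    for href, text in collector.links:
        shown, actual = host_of(text), host_of(href)
        if shown and actual and base(shown) != base(actual):
            findings.append(f"link text shows {shown} but points to {actual}")
    return findings

SAMPLE = (  # constructed message, not a real phishing sample
    'From: "PayPal Support" <service@paypa1.com>\n\n'
    '<p>Dear customer, <a href="http://login.example.net/paypal">https://www.paypal.com/signin</a></p>\n'
    '<p><a href="https://www.paypal.com/help">Help center</a></p>\n'
)
```

Calling `analyze(SAMPLE)` reports the look-alike sender and the first link; the second link has ordinary text, so there is nothing to compare and it is not flagged.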

 

How to avoid phishing scams?

Companies can help employees avoid phishing scams by providing security awareness training that helps users to spot the telltale signs of a phishing email. Companies can also deploy anti-phishing technology that includes:

  • Anti-spam and anti-malware software.
  • DMARC authentication that determines whether email sent from a specific domain is legitimate or fraudulent.
  • Technology that scans email and prevents users from clicking URLs or opening attachments deemed to be malicious.
  • Anti-impersonation technology that scans email for indications of social engineering techniques used in advanced phishing scams.

Additionally, companies can encourage employees to use two-factor authentication to prevent attackers from gaining access to accounts should users fall prey to phishing scams.